General

  • Target

    JaffaCakes118_087350dd3a995f36153b082ac706a2cc

  • Size

    2.2MB

  • Sample

    250524-ah38bszwey

  • MD5

    087350dd3a995f36153b082ac706a2cc

  • SHA1

    cbe6fee1bc5a888a85a2c314c16ea0bff426226f

  • SHA256

    e21af39b071a0aeb883ec61cd74caa7b89e4db40bd5931acfe73e8657623bd3c

  • SHA512

    d5690d681690002b46718e062d2875739f01ab83a559e35856ea305e649651df1fd930e83427138e057e7df2530698d04b0691581772625fe85f816be917c030

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ3:0UzeyQMS4DqodCnoe+iitjWwwz

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      JaffaCakes118_087350dd3a995f36153b082ac706a2cc

    • Size

      2.2MB

    • MD5

      087350dd3a995f36153b082ac706a2cc

    • SHA1

      cbe6fee1bc5a888a85a2c314c16ea0bff426226f

    • SHA256

      e21af39b071a0aeb883ec61cd74caa7b89e4db40bd5931acfe73e8657623bd3c

    • SHA512

      d5690d681690002b46718e062d2875739f01ab83a559e35856ea305e649651df1fd930e83427138e057e7df2530698d04b0691581772625fe85f816be917c030

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ3:0UzeyQMS4DqodCnoe+iitjWwwz

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in VisualBasic.

    • Mofksys family

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks